Miscellaneous fixes (#22779)

* block ffmpeg args in custom exports for non-admin users only

* prune expired reconnect timestamps periodically in watchdog loop

reconnect timestamps were only pruned when a new reconnect
occurred. This meant a single reconnect would persist in the count indefinitely instead of expiring after 1 hour

* formatting

frigate/api/export.py

@@ -548,7 +548,11 @@ def export_recording_custom(
 
     export_id = f"{camera_name}_{''.join(random.choices(string.ascii_lowercase + string.digits, k=6))}"
 
-    # Validate user-provided ffmpeg args to prevent injection
+    # Validate user-provided ffmpeg args to prevent injection.
+    # Admin users are trusted and skip validation.
+    is_admin = request.headers.get("remote-role", "") == "admin"
+
+    if not is_admin:
         for args_label, args_value in [
             ("input", ffmpeg_input_args),
             ("output", ffmpeg_output_args),

frigate/record/export.py

@@ -36,22 +36,20 @@ logger = logging.getLogger(__name__)
 DEFAULT_TIME_LAPSE_FFMPEG_ARGS = "-vf setpts=0.04*PTS -r 30"
 TIMELAPSE_DATA_INPUT_ARGS = "-an -skip_frame nokey"
 
-# ffmpeg flags that can read from or write to arbitrary files.
+# ffmpeg flags that can read from or write to arbitrary files
-# filter flags are blocked because source filters like movie= and
-# amovie= can read arbitrary files from the filesystem.
 BLOCKED_FFMPEG_ARGS = frozenset(
     {
         "-i",
         "-filter_script",
-        "-vstats_file",
-        "-passlogfile",
-        "-sdp_file",
-        "-dump_attachment",
         "-filter_complex",
         "-lavfi",
         "-vf",
         "-af",
         "-filter",
+        "-vstats_file",
+        "-passlogfile",
+        "-sdp_file",
+        "-dump_attachment",
         "-attach",
     }
 )
@@ -62,8 +60,11 @@ def validate_ffmpeg_args(args: str) -> tuple[bool, str]:
 
     Blocks:
     - The -i flag and other flags that read/write arbitrary files
+    - Filter flags (can read files via movie=/amovie= source filters)
     - Absolute/relative file paths (potential extra outputs)
     - URLs and ffmpeg protocol references (data exfiltration)
+
+    Admin users skip this validation entirely since they are trusted.
     """
     if not args or not args.strip():
         return True, ""

frigate/video/ffmpeg.py

@@ -471,8 +471,16 @@ class CameraWatchdog(threading.Thread):
                     p["cmd"], self.logger, p["logpipe"], ffmpeg_process=p["process"]
                 )
 
-            # Update stall metrics based on last processed frame timestamp
+            # Prune expired reconnect timestamps
             now = datetime.now().timestamp()
+            while (
+                self.reconnect_timestamps and self.reconnect_timestamps[0] < now - 3600
+            ):
+                self.reconnect_timestamps.popleft()
+            if self.reconnects:
+                self.reconnects.value = len(self.reconnect_timestamps)
+
+            # Update stall metrics based on last processed frame timestamp
             processed_ts = (
                 float(self.detection_frame.value) if self.detection_frame else 0.0
             )